This year’s Verizon Data Breach Investigations Report includes discussion on the insider threat. It notes that it is “entirely possible that malicious insiders and/or partners are flying under the radar and thus avoiding discovery.” The problem is that most insider breaches are only discovered after the event, and even then usually by fraud detection mechanisms. Preventing insider breaches that are non-financial in their nature is a particular problem.
Sky did not find and prevent one particular insider breach; but it did find and prove against the culprit after the event. Several third-party satellite dish service and repair companies set up in competition with Sky’s authorized provider. Sky was concerned about where these companies obtained their information about Sky’s customers.
Sky obtained and executed a search warrant against the third-party companies “when,” notes the judge, “an independent forensic computer expert took an electronic copy of the Digital database” they used. This evidence, plus statements from the companies concerned, pointed the finger at a Sky employee, Mr Lee. But this had to be proved. “It was agreed,” notes the judge, “that they would cooperate with Sky to enable ‘seeded’ data to be sent to Mr Lee so that its later use could be traced. The seeded data was found to have been supplied to Digital (one of the companies). It led to the termination of Mr Lee's contract of employment (with the fourth claimant) and, on 3 February 2011, his joinder as a defendant to the proceedings.”
Now Sir William Blackburne has found Lee guilty of misusing the Sky’s confidential information and infringing the firms' database rights. “Three distinct protections can apply to databases and their contents,” explains the Out-Law legal blog. “The information in a database can be protected by copyright; the database structure itself can be so creative that it is protected by copyright, and the whole database can be protected by the 'sui generis' database right. The contents of a database can also be subject to laws which protect confidential information.”
Lee has been found guilty of infringing Sky’s database rights. But the whole incident illustrates Verizon’s concerns: forensic action can detect the culprit; but it is very difficult for security software to prevent the incident when an insider is involved.